Hi, I am currently receiving an alert where the license consumption is exceeding 80%.
I need to know which index is consuming more license in the last 30 days or last 7 days.
This query shows the total license consumption but I need to know which index or sourcetype is generating the most license consumption.
`sim_licensing_summary_base`
| `sim_licensing_summary_no_split("")`
| append
[| search (index=summary source="splunk-entitlements")
| bin _time span=1d
| stats max(ingest_license) as license by _time]
| stats values(*) as * by _time
| rename license as "license limit"
| fields - volume
I'm not familiar with the sim_licensing_* macros so can't give very specific advice. However, if there is a "sim_licensing_summary_no_split" macro then I have to think there is one similar to "sim_licensing_summary_by_index".
If not, then expand the macros (using CTRL-Shift-E) and modify the stats command to group results by index.
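For readers who cannot expand the sim_licensing_* macros, here is an added example search (not from the original post or the answer above) that gets the same per-index and per-sourcetype breakdown straight from the license manager's usage log. It assumes you can read index=_internal and that the license_usage.log "type=Usage" events carry the standard fields idx (index), st (sourcetype) and b (bytes); the "(squashed)" label and the 20-row cutoff are choices made for this example.

```spl
index=_internal source=*license_usage.log* type=Usage earliest=-30d@d latest=now
| eval idx=if(isnull(idx) OR len(idx)=0, "(squashed)", idx)
| eval st=if(isnull(st) OR len(st)=0, "(squashed)", st)
| bin _time span=1d
| stats sum(b) as bytes by _time idx st
| eval GB=round(bytes/1024/1024/1024, 2)
| stats sum(GB) as total_GB avg(GB) as avg_daily_GB max(GB) as peak_daily_GB by idx st
| sort - total_GB
| head 20
```

Change earliest=-30d@d to earliest=-7d@d for the 7-day view, and drop "st" from both "by" clauses to see totals per index only. Two caveats worth knowing: license_usage.log is written by the license manager, so on a distributed deployment run this there (or wherever its _internal data is forwarded), and when the number of distinct host/source/sourcetype combinations exceeds the license manager's squash threshold, Splunk stops recording the sourcetype breakdown for that day while keeping the index; those rows show up here under "(squashed)", which is why grouping by index is the more reliable first cut when hunting for the consumer that pushed you past 80%.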